Method for operating a control device

ABSTRACT

The present invention relates to a method for operating a control unit for controlling or regulating a function of a motor vehicle. The control unit includes a programmable memory device. The control or regulation is realized by executing a computer program (P0) at least partially stored in the memory device and by using data (D0) stored at least partially in the memory device. In order to offer the most efficient protection against manipulation of the contents of the memory device by an unauthorized person, it is provided that, at least following a modification of the computer program (P0) stored in the memory device or of the data (D0) stored in the memory device, the modified computer program (P1) is executed and/or the modified data (D1) are used only if the modified computer program (P1) and/or the modified data (D1) has/have been successfully verified.

FIELD OF THE INVENTION

[0001] The present invention relates to a method for operating a control unit. The control unit is used, e.g., to control or regulate a function of a motor vehicle. The control unit includes a programmable memory device. The control or regulation of the motor vehicle function is realized by executing a computer program that is at least partially stored in the memory device and by using data stored at least partially in the memory device.

BACKGROUND INFORMATION

[0002] It is known in the art to use control units to control or regulate an internal combustion engine, a transmission, a steer-by-wire system, an air-conditioning system, etc., of a motor vehicle. On the one hand, the memory device of a control unit must allow the occasional modification of the computer program stored in the memory device and of the data stored therein, so that new program versions or modified limiting values, for example, may be realized for a regulation or control. For this purpose, the memory areas of the memory device in which the computer program and/or the data is/are stored are deleted and overwritten by a modified computer program and modified data. On the other hand, unauthorized persons must be prevented from storing a manipulated computer program and/or manipulated data in the memory device, since such actions may cause malfunctions of the control unit, which may ultimately result in a defect of the components to be controlled or regulated.

[0003] Published German patent document DE 196 19 354 describes a method for safeguarding a programming procedure in such a way that precisely those bytes that are also listed in a programming database may be programmed into the program device. The described method is a simplified hash-total method. In this process, so-called self-control data are written into the memory device of the control unit, concurrently with the computer program and the data. Since it is too time-consuming to include each programmed byte in a hash-total calculation, individual bytes or byte samples are extracted at random, in order to test the correct programming of the memory device on this basis. Such correct programming exists when all self-control data are found in the appropriate memory areas. This known method thus safeguards only the actual programming procedure. It does not protect against the memory device being programmed with a manipulated computer program and/or manipulated data. It also does not protect against the execution of a manipulated computer program and the use of manipulated data. Since the self-control data are part of the computer program or the data stream, unauthorized persons may manipulate the self-control data relatively easily in such a way that, despite a manipulated computer program or despite manipulated data, a correct programming of the memory device is detected and the manipulated computer program is executed using the manipulated data.

[0004] Published German patent document DE 196 23 145 describes a method for preventing an inadvertent execution of a delete and/or program routine of a control program for a memory device of a control unit. This is achieved in that, prior to the execution of a delete and/or program routine of the control program, other program components (so-called unlock sequences) must be executed or passwords input. Furthermore, it is ascertained whether an activated testing or programming device is connected before a delete or program routine is executed. Additional protection against unintentional overwriting of a computer program stored in the memory device of a control unit and/or of data stored therein is obtained by storing the executable code of the computer program and/or the data outside of their destination address. For example, it is recommended to store a RAM program outside the RAM, so that the program must be copied into the RAM prior to execution. However, the known method is unable to prevent the execution of an altered computer program stored in the memory element and/or the use of altered data stored therein.

[0005] An objective of the present invention is to provide an efficient protection against manipulation of the contents of a memory device of a control unit by unauthorized persons.

SUMMARY OF THE INVENTION

[0006] To achieve this objective, it is provided that, at least following a modification of the computer program stored in the memory device or of the data stored in the memory device, the modified computer program is executed and/or the modified data are used only if the modified computer program and/or the modified data has/have been successfully verified.

[0007] According to the present invention, it is provided that the new computer program or the new data is/are blocked after a reprogramming of the computer program and/or the data until the verification of the computer program or the data has been successfully completed. Thus, it is not the programming per se that is prevented, but the execution of the program or the use of the data if the result of the verification has indicated that these were manipulated by an unauthorized person. The verification may be implemented before each execution of a modified computer program or before each use of modified data, or it may be carried out at any desired interval (for example, randomly or regularly as a function of the vehicle mileage, the driving hours, the absolute time or of the number of executions of the computer program). A failed verification of the modified computer program or of the modified data may temporarily block an execution of only the modified portion of the computer program or even of the entire computer program, and similarly block a use of only the modified data or else the use of the entire data.

[0008] The memory element is designed, for instance, as a nonvolatile, rewritable memory device, e.g., a flash EPROM (electronically programmable random access memory). The verification of the modified computer program and/or the modified data is realized in the form of a control program, for instance, which is likewise stored in the memory device. The computer program includes a so-called driving program whose execution fulfills the control or regulating function assigned to the control unit, and a control program that is responsible for the deletion and the programming of the memory areas and for checking the modified programs or data to be stored in the memory areas.

[0009] According to an example embodiment of the present invention, it is provided that, within the framework of the modification of the computer program and the data, at least the particular memory area of the memory device in which the computer program and/or the data is/are stored is deleted, and that the modified computer program and/or the modified data is/are subsequently stored in the memory device. A memory area usually includes at least one sector, i.e., 32 kbit. If only individual bytes of a memory area, and not the entire memory area, are to be modified in a flash EPROM, the entire content of the corresponding memory area may first be copied to an intermediate memory, such as a RAM (random access memory). There the respective bytes are then modified, the memory area deleted, and the entire modified content reprogrammed into the memory area again.
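The read-modify-erase-write procedure of paragraph [0009], as an added example in C that is not part of the patent. It models the two flash properties the procedure exists for: an erase sets every cell of a sector to 0xFF, and programming can only clear bits (1 to 0), so changing a byte in place fails whenever the new value needs a 0 to become 1. The 4096-byte sector (32 kbit), the erased value 0xFF and the names `flash_*` and `sector0` are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 4096u   /* one 32 kbit sector, assumed byte-addressable */

typedef struct { uint8_t cells[SECTOR_SIZE]; } flash_sector_t;

static flash_sector_t sector0;   /* one sector of memory device 1 (constructed for the example) */

/* Erase: the hardware sets every cell of the sector to 0xFF. Returns 0. */
static int flash_erase(flash_sector_t *s) {
    memset(s->cells, 0xFF, SECTOR_SIZE);
    return 0;
}

/* Program one byte. Flash can only clear bits without an erase, so a value that
 * needs any 0 -> 1 transition is rejected with -1 and the cell is left unchanged. */
static int flash_program_byte(flash_sector_t *s, uint32_t off, uint8_t v) {
    if (off >= SECTOR_SIZE) return -1;
    if ((v & ~s->cells[off]) != 0) return -1;   /* v has a 1 where the cell already holds 0 */
    s->cells[off] &= v;                         /* only 1 -> 0 transitions take place */
    return 0;
}

/* The patent's procedure for changing individual bytes of a sector: copy the whole
 * sector to RAM, patch the copy, erase the sector, reprogram the entire patched copy. */
static int flash_modify_bytes(flash_sector_t *s, const uint32_t *offs, const uint8_t *vals, size_t n) {
    static uint8_t ram[SECTOR_SIZE];            /* intermediate memory (RAM) */
    memcpy(ram, s->cells, SECTOR_SIZE);
    for (size_t i = 0; i < n; i++) {
        if (offs[i] >= SECTOR_SIZE) return -1;  /* reject before touching the flash */
        ram[offs[i]] = vals[i];
    }
    flash_erase(s);
    for (uint32_t off = 0; off < SECTOR_SIZE; off++)
        if (flash_program_byte(s, off, ram[off]) != 0) return -1;  /* cannot fail after an erase */
    return 0;
}

int main(void) {
    flash_erase(&sector0);
    flash_program_byte(&sector0, 10, 0x00);
    printf("direct write of 0x0F over 0x00 at offset 10: %d\n", flash_program_byte(&sector0, 10, 0x0F));
    printf("read-modify-erase-write of the same byte: %d, cell now 0x%02X\n",
           flash_modify_bytes(&sector0, (const uint32_t[]){10}, (const uint8_t[]){0x0F}, 1), sector0.cells[10]);
    return 0;
}
```

The direct write returns -1 because 0x0F would need four bits to go from 0 to 1; the sector-wise path succeeds, and every byte that was not patched comes back as it was.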

[0010] According to an example embodiment of the present invention, it is provided that the at least partial deletion of the memory device and the storing of the altered computer program and/or the altered data in the memory device are initiated by a control program that is also stored in the memory device. The control program receives an instruction for the reprogramming of a particular memory area or a part thereof from an external programming device located outside the control unit, for example. The control program is then able to delete the corresponding memory area or a part thereof and to reprogram it with the altered computer program or the altered data. After the computer program or the data has/have been changed, the control program verifies the modified content of the respective memory area or a part thereof and allows the execution of the computer program or the use of the data only after a successful verification of the altered contents.

[0011] Prior to making changes to a memory area or a part thereof, the control program is copied, as a backup copy (so-called backup), into a memory area outside of the memory area to be deleted or the part thereof that is to be deleted. It is provided that a deletion of a memory area in which the computer program or the data is/are stored is initiated only if the control program has been successfully copied, as a backup, into a memory area outside of the memory area that is to be deleted. The modification of the contents of a memory area or a part thereof is initiated by the backup. Providing the backup ensures that a control program for the modification of the content of the memory area or of a part thereof is assuredly still available even after a computer program or data has/have been altered.

[0012] In accordance with the present invention, an altered control program is stored in the memory device as well, together with the modified computer program or the modified data. The altered control program is first checked by the backup. Only then will it initiate the verification of the memory areas in which the modified computer program and/or the modified data is/are stored before a later execution of the modified computer program. Depending on the result of the verification (successful or unsuccessful), an execution of the modified computer program or a use of the modified data will either be possible or impossible.

[0013] In the event that the computer program and/or the data is/are to be changed, the backup of the old control program is first generated. The backup deletes the old computer program (including the old control program) and/or the old data. Then the backup programs the new computer program (including the new control program). Only when the new computer program is programmed into the corresponding memory area of the control unit will it likewise be checked by the backup and be declared valid, if appropriate. In a valid new computer program, the new control program is valid as well. A subsequent deletion, programming, checking and a validity declaration of the data area, if appropriate, are then accepted by the valid new control program. Alternatively, it is also possible that the backup is responsible for the deletion, the programming, checking and the validity declaration, if appropriate, both of the computer program area and also of the data area. However, that assumes that the backup is stored in a memory area outside the computer program area and the data area.

[0014] If the deletion, programming, checking and, if appropriate, the validity declaration of the computer program area are executed by the backup, and the deletion, programming, checking and the validity declaration, if appropriate, of the data area are executed by the checked new control program, it is provided that a deletion of the data area is implemented only if the altered computer program has been verified successfully.

[0015] The backup of the control program implements the storing of the modified computer program or the modified data in the memory device. The backup also initiates the verification of the altered computer program and/or the altered data.

[0016] According to another example embodiment of the present invention, it is provided that the verification of the modified computer program stored in the originally not yet reprogrammed memory region, or the verification of the modified data stored therein, is implemented by the backup of the control program, which has been stored in the memory device together with the modified computer program and/or the modified data.

[0017] The result of the verification is stored in the control unit in a nonvolatile manner. The result is stored in the memory device of the control unit, the backup of the control program implementing the storing of the result. Before the modified program is executed, or before the modified data are used, the backup first checks whether a predefined result of the verification is stored in the control unit.

[0018] The result of the verification may be embodied as a test sample or a plurality of test samples stored in predefined locations in those memory areas of the memory device that have been successfully verified. These memory areas are automatically deleted in a reprogramming. The memory areas may be programmed only by the control unit itself, that is, from the inside. A programming from the outside is not possible since the memory areas are not addressable from the outside.

[0019] Prior to an execution of the modified program, or prior to the use of the modified data, it is then ascertained whether the correct test samples are stored in the right locations in the memory device. To verify the modified computer program or the modified data, an example embodiment of the present invention provides that the content is checked in the predefined locations of those memory areas in which the modified computer program or the modified data has/have been stored. Since the modified control program is part of the modified computer program, the modified control program is safeguarded via the modified computer program.

[0020] To verify the altered computer program or the altered data, a hash-total computation or a signature check may be executed.

[0021] Of particular importance is the realization of the method according to the present invention in the form of a memory device for a control unit of a motor vehicle. In this context, a control program that is able to run on a computing element of the control unit, e.g., on a microprocessor, and is suitable for carrying out the method according to the present invention, is stored on the memory device. In this case, the present invention is therefore realized by a control program stored on the memory device, so that this memory device provided with the program constitutes the present invention in the same way as the control method for whose execution the control program is suitable. An electrical memory medium, for example, a read-only memory, a random-access memory, or a flash memory, may be used as memory device.

[0022] The present invention also relates to a control program which is suited to implement the method according to the present invention when it runs on the computing device. In this context, the control program is stored on a memory device, e.g., on a flash memory.

[0023] As another way of achieving the object of the present invention, means are provided in the control unit so that, at least after a modification of the computer program stored in the memory device or of the data stored in the memory device, a verification of the modified computer program and/or the modified data may be implemented, in order to prevent an execution of the modified computer program and/or the use of the modified data until the modified computer program and/or the modified data has/have been successfully verified. These means may be realized in the form of an expansion for a control program by means of software.

BRIEF DESCRIPTION OF THE DRAWINGS

[0024] FIG. 1 shows a schematic illustration of a memory device according to the present invention, in four different method steps.

[0025] FIG. 2 shows a control unit according to the present invention.

[0026] FIG. 3 shows a flow chart of the method according to the present invention.

DETAILED DESCRIPTION

[0027] In FIG. 2, a control unit according to the present invention, for controlling and/or regulating functions in a motor vehicle, is designated in its entirety by reference numeral 2. Control unit 2 includes a memory device 1 and a computing device 3, e.g., a microprocessor. Input signals 4 from sensors and sensing elements, which provide control unit 2 with information regarding the state of the motor vehicle or the functions to be controlled or regulated, are present at control unit 2. Control unit 2 generates output signals 5 in order to control actuators for influencing the vehicle functions that are to be controlled or regulated. Using data that are likewise stored on memory device 1, output signals 5 are determined as a function of input signals 4 on the basis of a computer program that is stored in memory device 1 and able to run on computing device 3. A data-transmission line 6 is arranged between memory device 1 and computing device 3. For execution, the computer program is transmitted either in its entirety or according to instruction from memory device 1 to computing device 3, using data-transmission line 6. Via line 6, data are also transmitted from memory device 1 to computing device 3 for processing, and newly calculated data are transmitted from computing device 3 to memory device 1 for storing.

[0028] FIG. 1 shows a schematic illustration of memory device 1 according to the present invention, in four different steps I through IV during execution of a method according to the present invention. A corresponding flow chart of the method of the present invention is illustrated in FIG. 3. To the right of the functional and query blocks in FIG. 3, the designation of the particular control program A0, A0′ or A1 initiating the appropriate method steps is indicated.

[0029] Memory device 1 includes two memory areas P and D, which are independent of one another. A memory area usually includes at least one sector, e.g., 32 kbit. Memory area P is also referred to as program area and has content P0 at the beginning of the method, P0 standing for a computer program that is stored in memory area P. Memory area D is also known as data area and has content D0 at the beginning of the method, D0 standing for data that are stored in memory area D.

[0030] Memory area P also includes a control program A0 with delete and program routines to modify computer program P0 stored in memory device 1 or to modify data D0 stored therein.

[0031] Stored in predefined locations in memory areas P and D are test samples Mp0 and Md0, which are used to verify computer program P0 stored in memory device 1 or data D0 stored there.

[0032] When a new computer program P1 or new data D1 is/are stored in memory device 1, new test samples Mp1 and Md1 are also stored in the corresponding memory areas P and D. Test samples Mp1 and Md1 are ascertained during the programming of memory areas P and D and stored therein. Test samples Mp0, Mp1 and Md0, Md1 are not part of the code to be programmed into memory areas P and D. A write command initiated by a delete and program routine in those locations where test samples Mp0, Mp1 and Md0, Md1 are stored is ignored, so that test samples Mp0, Mp1 and Md0, Md1 cannot be manipulated from the outside.

[0033] In the following, the reprogramming of memory device 1 is discussed in greater detail. Memory device 1 shown in step I forms the basis. Memory areas P and D are overwritten in succession by the new contents P1 and D1, via a delete and program routine of the control program. However, it is also readily possible to overwrite memory areas P and D individually, without overwriting the other memory area D or P as well.

[0034] By applying a corresponding command for reprogramming from the outside with the aid of a testing or programming device, the method shown in FIG. 3 is started in a functional block 10. At the beginning of the reprogramming, a backup A0′ of control program A0 is first generated in a functional block 11 and stored in memory area D, which is located outside of memory area P to be reprogrammed (step II). Backup A0′ then coordinates the reprogramming of memory area P. A delete command to memory area P is executed only once the backup of A0′ into memory area D has been successfully completed. Whether backup A0′ was successful or not is checked in a query block 12.

[0035] Following a successful backup, A0′ controls the programming of memory area P (functional block 13) with content P1 (step III). The new computer program P1 also includes a new control program A1 with new delete and program routines. Finally, backup A0′ of the control program implements a verification of the newly programmed memory area P in a functional block 14.

[0036] For verification, a hash-total calculation or a signature check of all previously programmed bytes is implemented, for instance. In a query block 15, it is ascertained whether the verification of memory area P was successful. If this was the case, a test sample Mp1 is stored in a certain location in memory area P in a nonvolatile manner, in a functional block 20. The storing of test sample Mp1 is implemented by backup A0′ of the control program. During a reprogramming, the memory areas where test sample Mp1 is stored are automatically deleted. These memory areas may be programmed only by control unit 2 itself, that is, from the inside. An external programming is not possible since the memory areas are not addressable from the outside. Test sample Mp1 is either already known or is ascertained as a function of newly stored computer program P1 including new control program A1.

[0037] Before each execution of new computer program P1 or before each use of new data D1, instead of checking the entire memory region P, D, it is ascertained only whether the correct test sample Mp1 is stored in the right location in the memory area.

[0038] Test sample Mp1 is a validity stamp, which indicates that memory area P1 assigned thereto, including A1, is correct in all programmed bytes. Test sample Mp1 is thus a replacement for a complete hash-total check of all programmed bytes at each power-up of control unit 2, because a complete check of control unit 2 is much more time-consuming than a check of test pattern Mp1 only.

[0039] The reprogramming of memory area D is prevented by backup A0′ until the entire memory area P having content P1, including new control program A1, has been successfully verified.

[0040] The reprogramming of memory area D is then implemented by new control program A1, which has been declared valid and correct in the previous step. As soon as memory area P has been verified successfully, memory area D, that is, backup A0′ stored therein, is deleted and overwritten by new data D1 (functional block 16). Finally, new control program A1 implements a verification of newly programmed memory area D in a functional block 17, a successful verification of memory area D being checked in a query block 18. If the verification was successful, a test pattern Md1 is stored in a section of memory area D in a functional block 21. Prior to using new data D1, it is not the entire memory area D that is checked for accuracy and validity, but instead it is checked only whether the correct test pattern Md1 has been stored in the right location in memory area D.

[0041] The overall configuration, made up of new computer program P1 and new data D1, is able to run only once both the new computer program P1 and new data D1 have been successfully verified. The execution of computer program P1, using data D1, is illustrated in functional block 19. It is then branched back to the beginning of the method again, to functional block 10. An additional verification of memory areas P and/or D may be implemented before each additional execution of new computer program P1, using new data D1, or it may occur at regular or irregular intervals. Test patterns Mp1, Md1 are stored in a nonvolatile manner in memory device 1 of control unit 2, so that these data are available after a new start-up (reset) of control unit 2.

[0042] If backup A0′ of the control program is not generated successfully at the beginning of the method (query block 12), the deletion is denied, and thus the reprogramming of memory area P as well, so that control program A0 remains active there. If the verification of memory area P fails (query block 15), the deletion, and thus the reprogramming of memory area D too, is denied, so that backup A0′ of the control program remains active there. However, if memory area P is successfully verified, but the verification of memory area D fails (query block 18), computer program P1 is not executed at all or is not executed using new data D1. Only new control program A1 may be executed for the possible reprogramming of memory area D on the basis of valid data D1. The verification of newly programmed memory areas P and D in functional blocks 14 and 17 may be implemented in the form of a hash-total calculation or a signature check.
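The FIG. 3 sequence (blocks 10 through 21) together with the test-sample mechanism of paragraphs [0018], [0019] and [0032] and the three failure branches of [0042], as an added example in C that is not part of the patent. Everything concrete in it is an assumption of the example, not of the patent: a 64-byte toy area whose last four bytes are the reserved test-sample location, a keyed FNV-1a tag standing in for the hash-total or signature check, a fixed "already known" stamp value `VALID_STAMP`, a control program occupying the first 16 bytes of area P, and the names `ecu_*`, `area_*`, `g_ecu`, `g_p1`, `g_d1`. What it demonstrates is the property the patent relies on: external programming can never reach the stamp location, an erase always clears it, and only the control unit writes it, after a successful verification; the power-up check then looks at the stamps alone.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AREA_SIZE   64u                 /* toy area size; the patent's sectors are 32 kbit */
#define PAYLOAD     (AREA_SIZE - 4u)    /* last 4 bytes: reserved location of the test sample */
#define VALID_STAMP 0x5A3C96C5u         /* the "already known" test sample Mp1/Md1 (assumed value) */
#define CP_SIZE     16u                 /* control program = first 16 payload bytes of P (assumed) */

/* Per-unit secret standing in for the signing key of the patent's "signature check". */
static const uint8_t UNIT_KEY[8] = {0x13, 0x57, 0x9b, 0xdf, 0x24, 0x68, 0xac, 0xe0};

typedef struct { uint8_t cells[AREA_SIZE]; } area_t;
typedef struct { area_t P, D; } ecu_t;
typedef enum { RUN_OK, FAIL_BACKUP, FAIL_VERIFY_P, FAIL_VERIFY_D } step_t;

static ecu_t g_ecu;                                 /* memory device 1 of control unit 2 (constructed) */
static uint8_t g_p1[AREA_SIZE], g_d1[AREA_SIZE];    /* images delivered by the programming device */

/* Keyed FNV-1a over key || payload: stand-in for the hash-total / signature check. */
static uint32_t tag_of(const uint8_t *payload, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof UNIT_KEY; i++) { h ^= UNIT_KEY[i]; h *= 16777619u; }
    for (size_t i = 0; i < n; i++)              { h ^= payload[i];  h *= 16777619u; }
    return h;
}

/* Erasing an area clears its payload and its test sample alike (every cell -> 0xFF). */
static void area_erase(area_t *a) { memset(a->cells, 0xFF, AREA_SIZE); }

/* Programming from outside: bytes aimed at the stamp location are dropped. Returns bytes accepted. */
static size_t area_program_external(area_t *a, const uint8_t *img, size_t n) {
    size_t accepted = 0;
    for (size_t i = 0; i < n && i < PAYLOAD; i++) { a->cells[i] = img[i]; accepted++; }
    return accepted;
}

static uint32_t stamp_read(const area_t *a) { uint32_t s; memcpy(&s, a->cells + PAYLOAD, 4); return s; }
/* Only the control unit itself reaches the stamp location (functional blocks 20 and 21). */
static void stamp_write_internal(area_t *a) { uint32_t s = VALID_STAMP; memcpy(a->cells + PAYLOAD, &s, 4); }

static bool area_verify(const area_t *a, uint32_t expected_tag) { return tag_of(a->cells, PAYLOAD) == expected_tag; }

/* Power-up check before block 19: the two stamps only, not a hash of the whole areas. */
static bool ecu_may_run(const ecu_t *e) {
    return stamp_read(&e->P) == VALID_STAMP && stamp_read(&e->D) == VALID_STAMP;
}

/* Build a full-area image: a payload pattern plus a trailer that tries to smuggle in a
 * stamp, as a manipulated image might. Returns the tag a genuine programmer would ship. */
static uint32_t build_image(uint8_t *img, uint8_t fill) {
    for (uint32_t i = 0; i < PAYLOAD; i++) img[i] = (uint8_t)(fill + i);
    uint32_t s = VALID_STAMP; memcpy(img + PAYLOAD, &s, 4);
    return tag_of(img, PAYLOAD);
}

/* State of step I: P0 and D0 present and already verified, i.e. stamped. */
static bool ecu_init(ecu_t *e) {
    uint8_t img[AREA_SIZE];
    area_erase(&e->P); build_image(img, 0x01); area_program_external(&e->P, img, AREA_SIZE); stamp_write_internal(&e->P);
    area_erase(&e->D); build_image(img, 0x02); area_program_external(&e->D, img, AREA_SIZE); stamp_write_internal(&e->D);
    return ecu_may_run(e);
}

/* The FIG. 3 sequence. backup_fails simulates query block 12 answering "no". */
static step_t ecu_reprogram(ecu_t *e, const uint8_t *p1, uint32_t p1_tag,
                            const uint8_t *d1, uint32_t d1_tag, bool backup_fails) {
    uint8_t a0[CP_SIZE];
    memcpy(a0, e->P.cells, CP_SIZE);                       /* block 11: copy A0 ... */
    area_erase(&e->D);
    if (!backup_fails) memcpy(e->D.cells, a0, CP_SIZE);    /* ... into area D as backup A0' */
    if (memcmp(e->D.cells, a0, CP_SIZE) != 0) return FAIL_BACKUP;  /* query 12: P untouched, A0 stays active */
    area_erase(&e->P);                                     /* block 13: A0' erases P and programs P1 */
    area_program_external(&e->P, p1, AREA_SIZE);
    if (!area_verify(&e->P, p1_tag)) return FAIL_VERIFY_P; /* query 15: D keeps A0', P stays unstamped */
    stamp_write_internal(&e->P);                           /* block 20: Mp1 */
    area_erase(&e->D);                                     /* block 16: A1, now valid, erases D and programs D1 */
    area_program_external(&e->D, d1, AREA_SIZE);
    if (!area_verify(&e->D, d1_tag)) return FAIL_VERIFY_D; /* query 18: P1 must not run with D1 */
    stamp_write_internal(&e->D);                           /* block 21: Md1 */
    return RUN_OK;                                         /* block 19 */
}

int main(void) {
    ecu_init(&g_ecu);
    uint32_t pt = build_image(g_p1, 0x11), dt = build_image(g_d1, 0x22);
    printf("manipulated P1 (wrong tag): result %d, may run: %d\n",
           ecu_reprogram(&g_ecu, g_p1, pt ^ 1u, g_d1, dt, false), ecu_may_run(&g_ecu));
    ecu_init(&g_ecu);
    printf("genuine images: result %d, may run: %d\n",
           ecu_reprogram(&g_ecu, g_p1, pt, g_d1, dt, false), ecu_may_run(&g_ecu));
    return 0;
}
```

Each failure branch leaves the device in the state [0042] describes: after a failed backup, P still carries its stamp and A0 stays active; after a failed verification of P, the freshly programmed P1 has no stamp (the erase removed it and the smuggled trailer bytes were dropped), so `ecu_may_run` is false while D still holds A0′; after a failed verification of D, P is stamped but D is not, so P1 is not run with D1. Replacing `tag_of` with a real signature check, or with a stronger hash, changes nothing in the flow.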

CLAIMS

1-16 (canceled).
17. A method of operating a control unit for controlling at least one function of a motor vehicle, the control unit controlling the at least one function by executing a computer program that is at least partially stored in a memory device associated with the control unit and by using data at least partially stored in the memory device, the method comprising: verifying whether modification of at least one of the computer program at least partially stored in the memory device and the data at least partially stored in the memory device is authorized; and at least one of executing a modified computer program and using a modified data only if the at least one of the modified computer program and the modified data has been verified as being authorized.
18. The method as recited in claim 17, wherein the modification of the at least one of the computer program and the data includes erasing of a first memory area of the memory device where the at least one of the computer program and the data is stored, and storing the at least one of the modified computer program and the modified data in the memory device.
19. The method as recited in claim 18, wherein the erasing of the first memory area of the memory device and the storing of the at least one of the modified computer program and the modified data in the memory device is initiated by a control program stored in the memory device.
20. The method as recited in claim 19, wherein the erasing of the first memory area where the at least one of the computer program and the data is stored is initiated only if the control program has been successfully copied as a backup into a second memory area outside of the first memory area to be erased.
21. The method as recited in claim 20, wherein, in addition to the at least one of the modified computer program and the modified data stored in the memory device, a modified control program is stored in the memory device.
22. The method as recited in claim 21, wherein, following the erasing of the memory device and the storing of the modified computer program in the memory device, erasing of the memory device and storing of the modified data is initiated only if the modified computer program has been verified as being authorized.
23. The method as recited in claim 20, wherein the storing of the at least one of the modified computer program and the modified data in the memory device is initiated by the copied backup of the control program.
24. The method as recited in claim 22, wherein verification of the at least one of the modified computer program and the modified data is initiated by the modified control program.
25. The method as recited in claim 17, further comprising: storing the verification result in the control unit in a nonvolatile manner.
26. The method as recited in claim 25, further comprising: storing test samples in memory areas of the memory device that contain the at least one of the modified computer program and the modified data that have been verified as being authorized.
27. The method as recited in claim 26, wherein, to verify the at least one of the modified computer program and the modified data, content of predefined locations of the memory device storing the at least one of the modified computer program and the modified data.
28. The method as recited in claim 17, wherein one of a hash-total calculation and a signature check is used to verify the at least one of the modified computer program and the modified data.
29. A computer-readable medium for storing a control program for a control unit, the control program performing, when executed by a computing device of the control unit, the steps of: verifying whether modification of at least one of a first computer program at least partially stored in a memory device and data at least partially stored in the memory device is authorized; and at least one of executing a modified computer program and using a modified data only if the at least one of the modified computer program and the modified data has been verified as being authorized.
30. A control program for a control unit, the control program performing, when executed by a computing device of the control unit, the steps of: verifying whether modification of at least one of a first computer program at least partially stored in a memory device and data at least partially stored in the memory device is authorized; and at least one of executing a modified computer program and using a modified data only if the at least one of the modified computer program and the modified data has been verified as being authorized.
31. The control program as recited in claim 30, wherein the control program is stored on a flash memory device.
32. A control unit, comprising: a programmable memory device storing at least a portion of a computer program and data; a computing device for executing the computer program for performing a desired control using the data; and means for implementing, at least following a modification of at least one of the computer program stored in the memory device and the data stored in the memory device, a verification of the at least one of the modified computer program and the modified data as being authorized, and for preventing at least one of an execution of the modified computer program and a use of the modified data until the at least one of the modified computer program and the modified data have been verified as being authorized.